Abstract. In secure multi-party computation $n$ parties jointly evaluate an $n$-variate function $f$ in the presence of an adversary which can corrupt up to $t$ parties. All honest parties are required to receive their correct output values, irrespective of how the corrupted parties under the control of the adversary behave. The adversary should not be able to learn anything more about the input values of the honest parties than what can be inferred from the input and output values of the corrupted parties and the structure of the function.

Almost all the works that have appeared in the literature so far assume the presence of authenticated channels between the parties. This assumption is far from realistic. Two directions of research have been born from relaxing this (strong) assumption: (a) the adversary is virtually omnipotent and can control all the communication channels in the network; (b) only a partially connected topology of authenticated channels is guaranteed and the adversary controls a subset of the communication channels in the network.

This work introduces a new setting for the (unconditional) secure multiparty computation problem which is an interesting intermediate model with respect to the above well studied models from the literature (it shares a salient feature with each of them). We consider the problem of (unconditional) secure multi-party computation when 'some' of the communication channels connecting the parties can be corrupted passively as well as actively. We model communication channels as entities just like parties and consider a few different types of channels, namely fully secure channels, authenticated but eavesdroppable channels, partially tamperable channels and fully tamperable channels. In this setting, some honest parties may be connected to several other honest parties only via corrupted channels and may not be able to authentically/privately communicate with them. Such parties may not be assured the canonical guarantees of correctness or privacy. Honest parties which are not guaranteed the correctness or privacy properties are called sacrificed, as is done for the notion of almost everywhere secure computation (model (b) above). We present appropriate definitions of security for this new intermediate model of secure computation for the stand alone setting. We show how to adapt protocols for (unconditional) secure multiparty computation to realize the definitions and also argue the tightness of the results achieved by us.
1 Introduction

In secure multiparty computation a set of $n$ parties jointly compute some function $f$ of their inputs in a secure
way, in the presence of an adversary controlling a subset of $t$ parties. There are two canonical guarantees
of the interactive computation process: (1) correctness and (2) privacy. The correctness guarantee is that the
correct output value is received by all the honest parties. The privacy guarantee is that, irrespective of how
the corrupted parties behave, the adversary learns nothing more about the private inputs of the honest parties
than what can be inferred from the (initial/committed) input values of the corrupted parties, the output value
and the structure of the function $f$.

Since the seminal works on secure multiparty computation, [Yao82], [GMW87], [BGW88] and [CCD88],
this area has been heavily explored. The one common assumption which almost all these works make is the
availability of authentic/secure channels between every pair of parties. The reason for this assumption has
been the belief that the communication channels can be easily realized through physical infrastructure like
LANs, WANs, fibre optic cables etc. which provide the basic security features, or by cryptographic schemes
like PKC. Secondly, it seems to have been assumed that no meaningful guarantees can be achieved if basic
reliable communication is not assured to the parties.

The former belief is not well founded, because physical channels, though realistic, usually cannot assure
reliability, let alone secrecy, in the presence of an active intruder. Secondly, it is not realistic to assume the
availability of such channels between every pair of parties in the network because it imposes a very high
requirement on the communication infrastructure. This becomes especially relevant in the information theoretic
setting, where PKI and digital signatures become irrelevant. Thus, three natural settings arise from questioning
these assumptions: what meaningful security guarantees can be achieved (1) when no authentication
mechanism is available, (2) when only a partially connected topology of secure channels is available, and (3) when the
adversary can corrupt and control the communication channels connecting the parties to various extents?

[BCL+05] consider this very weak model, of type (1), when the adversary can fully control the communication
between the parties. For such a feeble model, not much can be guaranteed because the adversary
can completely disrupt any computation process. Yet theoretically this is an interesting model to consider and
the results given in [BCL+05] have an interesting flavour. It is shown that the adversary's strategy can be
restricted to either message relaying or conducting independent executions with disjoint subsets of honest
parties, and the only dependence that the adversary can achieve between these executions is by running
them sequentially and choosing its input in the second execution after receiving its output from the
first.

[Vay07], [GO08] consider the second model, when only a partially connected network of secure channels
is available to the parties, called almost everywhere secure computation (a.e.s.c.). In contrast to [BCL+05], this
model is theoretically and practically interesting for the case of an information theoretic adversary only. On the
other hand, although the adversary considered in [BCL+05] is given too much power to assure any meaningful
security guarantees for practical purposes, a.e.s.c. actually assures meaningful security guarantees to
a large number of honest parties, if not all the honest parties (communistic settings are one example where
they become relevant). Recall that the canonical guarantees of correctness and privacy sometimes have to be
"sacrificed" for some honest parties that are surrounded by a bad neighbourhood of maliciously corrupted
parties. Thus, depending on the statistical guarantees about the subset of maliciously corrupted parties, a.e.s.c.
makes only statistical guarantees about the subsets of honest parties for which the correctness and/or privacy
properties are assured, for special families of incomplete networks.

We consider the intermediate setting (3), when an "information theoretic" adversary (which renders PKI
based solutions useless) can partially control a subset of communication channels in various ways. Depending
on the actual subset of communication channels corrupted by the adversary and the type of corruptions
of the channels, not all honest parties may be able to achieve the guarantees of correctness and privacy,
just as in [Vay07], [GO08]. For example, if a fairly large number of the communication channels connecting
an honest party are totally corrupted, then this party may not be able to commit to its intended input value
or be guaranteed to receive its correct output value. On the other hand, if a large number of the communication
channels connecting to this honest party are authentic but eavesdroppable, then the privacy of its input value
or that of its output cannot be guaranteed. Thus the canonical guarantees of correctness or privacy may have
to be dropped for some of the honest parties. We present results for the new model of secure computation
in the framework of almost everywhere secure computation.

Results in [GO08] for a.e.s.c. hold for the case of honest-but-curious type passive corruptions (the
reader is referred to [Vay10a] for related exposition). However, the theoretically meaningful and practically
relevant realization of this model is for the case of malicious corruptions. Handling malicious corruptions
requires a novel approach for formulating the definitions of security, and in particular the privacy property
of protocols, because we find that for this model there is no satisfactory way to apply the trusted third party
paradigm. In [Vay07], an appropriate definitional framework was proposed to realize almost everywhere
secure computation on special types of incomplete networks, for handling the case of a malicious adversary.
In this work, we refine the definitional approach proposed in [Vay07] further, to present results for the
new model: (unconditional) secure multi-party computation with man-in-the-middle attacks. We define the
correctness and privacy properties for the new model separately. Thus, our definition of security for the new
model has the flexibility to guarantee the correctness property for a certain subset of honest parties and the privacy
property to a different subset of honest parties. Exactly which subsets of honest parties are guaranteed the
correctness or privacy properties of course depends on the subset of corrupted parties and channels and on
how the parties and the communication channels between the parties are corrupted by the adversary, i.e., on the
specific element of the adversary structure. We capture the various types of man-in-the-middle attacks on
the communication channels by associating with each channel an ideal description of its behaviour (and in
particular its interaction with the adversary) under different types of attacks. Finally, we show how to realize
our definitions of security for the new model by adapting standard protocols for unconditional secure multi-party
computation.

Lastly, from a practical point of view many different types of man-in-the-middle attacks may be considered
in realistic scenarios. Computer networks often face the threat of the following type of security attack. An
intruder inserts itself between two communicating parties, both of which believe that they are talking to
each other, while the attacker deletes, modifies or simply eavesdrops on the messages exchanged between the
parties. More generally, such an attacker can carry out the attack in a coordinated fashion and sabotage a
large number of communication channels of the network. In particular, the attacker may use the messages
received on one communication channel to modify or inject new messages on a different channel. At the
same time interesting variations exist for the lower level protocols that protect the integrity and privacy of
the messages communicated over the channels. They give rise to the interesting combinations of channels and
man-in-the-middle attacks considered in this work.

1.1 Related works 

The notion of almost everywhere secure computation for incomplete networks, and an overall approach to
realize it, was presented in [GO08] by Garay and Ostrovsky, and in [Vay07] by Vaya. In [GO08], the authors
present an input indistinguishability type definition of privacy for almost everywhere secure computation. The
input indistinguishability type definitional approach was first proposed in [KKMO94] in a different context.
A hybrid argument was given to realize this definition for honest-but-curious type passive corruptions in
[GO08, KKMO94].

Assuming that strictly more than $\lfloor n/2 \rfloor$ parties are honest, it has been shown that it is possible to securely
compute any $n$-variate function [BGW88, CCD88] in the information theoretic regime. In the
computational model, the results have been given in [GMW87, Yao82].

The trusted third party paradigm was proposed in [GMW87] (it has been extended to propose the universal
composability framework in its most general form).

1.2 Organization of the paper 

In Section 2 we present the preliminaries requisite for the presentation of our results. In Section 3 we present
a complete definition of security for the stand alone setting. In Section 4 we discuss the application of this
definition of security to a few interesting settings of unconditional secure multiparty computation.

2 Preliminaries 

We first review some standard notations and terminologies for (unconditional) secure multiparty computa- 
tion. This is followed by formal definitions of security for the vanilla setting. 

Definition 1. A function $\delta : \mathbb{N} \to [0,1]$ is called negligible if for all $c > 0$ and for all large enough $k \in \mathbb{N}$ we
have $\delta(k) < k^{-c}$.

Definition 2. A distribution ensemble $X = \{X(k,a)\}_{k \in \mathbb{N},\, a \in \{0,1\}^*}$ is an infinite set of probability distributions,
where $X(k,a)$ is associated with each $k \in \mathbb{N}$ and $a \in \{0,1\}^*$. A distribution ensemble is called binary if it
consists only of distributions over $\{0,1\}$.

Definition 3. Distribution ensembles $X$ and $Y$ are called statistically indistinguishable if for all sufficiently
large $k$ and all $a$, $\mathrm{SD}(X,Y) = \sum_{b} \left| \Pr[X(k,a) = b] - \Pr[Y(k,a) = b] \right| < \delta(k)$ for $\delta(\cdot)$ a negligible function.

$\mathrm{Power}\text{-}\mathrm{Set}(F)$ refers to the set of all subsets of a set $F$. A mixed network $N$ is referred to as a triplet
$(V, E, E_d)$, where $V$ refers to a set of vertices, $E$ refers to the set of undirected edges and $E_d$ refers to the
set of directed edges.

2.1 Characteristics of the adversary

If $\mathcal{A}$ corrupts a party actively, it gains complete control over the party (its input value, its random tape and
its program) and is free to send arbitrary messages on behalf of the party, while also receiving all the
messages sent to the party by other parties. The party is said to be passively corrupted when the adversary
just gains the privilege to receive all the inputs, outputs and messages exchanged by it with other parties. We
set up adversary structures to handle corruptions of parties as well as channels, passively as well as actively.

2.2 Some notations relevant to secure multiparty computation 

Let $\Pi$ be a multiparty protocol executed by a set of players $\mathcal{P}$. We define the view of a player as the set of
inputs, the random bits used by the player and all the messages received by the player during the execution of
the protocol. Likewise, the view of the adversary is the vector of views of the players corrupted by it. Further,
the distribution of the views of the players/adversary is defined as the distribution of these views, generated
from executing the multiparty protocol, taken over the different random choices made by the players and the
adversary. This distribution is defined for a vector of inputs given to the parties. Formally,

Let multiparty computation protocol $\Pi$ be executed by a set of players $\mathcal{P}$. The variable $\mathrm{View}^{\Pi,\mathcal{A}}_{p_i}(C, \vec{I})$
refers to the random variable denoting the view of $p_i$ when multiparty protocol $\Pi$ is executed by the set
of players $\mathcal{P}$ with input vector $\vec{I}$, when adversary $\mathcal{A}$ corrupts the quadruplet $C$. Correspondingly, the random
variable $\mathrm{View}^{\Pi,\mathcal{A}}_{X}(C, \vec{I})$ denotes the vector of views of the subset of players $X$, constituted from executing
protocol $\Pi$ amongst the set of parties $\mathcal{P}$ with input vector $\vec{I}$. Distributions over these random variables are
defined along the same lines and referred to as $\mathcal{V}\mathit{iew}^{\Pi,\mathcal{A}}_{p_i}(C, \vec{I})$ and $\mathcal{V}\mathit{iew}^{\Pi,\mathcal{A}}_{X}(C, \vec{I})$, respectively.

3 Formal definition of (unconditional) secure multiparty computation for the stand alone 
setting 

Let $\Pi = (\Pi^1, \Pi^2)$ refer to a two phase multiparty protocol. Let $\mathcal{P} = \{P_1, P_2, \ldots, P_n\}$ denote a set of parties.
Let $\vec{I} = (i_1, i_2, \ldots, i_n)$ denote the vector of input values, where $i_j = \vec{I}[j] \in \{0,1\}^*$ refers to the input
value of the $j$-th party $P_j$. We ascertain the correctness of the commitment and computation phases of the protocol
separately, while the privacy property is ascertained for the entire protocol.

3.1 Correctness of the input commitment phase 

Input commitment phase should possess the following properties: 

1. Honest parties commit to their intended input values: All the honest parties are able to successfully
commit to their initial input values, as long as $\mathcal{A}$ corrupts at most $\lfloor (n-1)/2 \rfloor$ parties.

2. Commitment is binding: After the termination of the input commitment protocol, none of the parties
are able to modify the committed values, irrespective of how the corrupted parties behave from here on.

3. Non-malleability of commitment: The adversary should not be able to commit to input values that are
dependent on/correlated with the input values committed by the honest parties, except with negligible
probability. In the information theoretic setting, this requirement can be seen as a finer aspect of privacy. If
the adversary is successful in violating the non-malleability requirement, then it can distinguish input
vectors which are more likely to have been committed by the honest parties from those which are less
likely, based on its view. Thus, this requirement is taken care of as a finer aspect of the privacy property.



Formally, input commitment protocol $\Pi^1$ is correct iff we can associate an $n$-variate function $\mathrm{reveal}_{\Pi^1}(\cdot, \ldots, \cdot)$
with it, which when applied to the transcripts of the parties generated by the execution of protocol $\Pi^1$
extracts the vector of input values committed to by the parties. Furthermore, for the honest parties the values
reported by $\mathrm{reveal}()$ are always the same as the initial input values; and the committed values of all of the parties
are the same even if arbitrary transcripts are substituted for the corrupted parties instead of the actual transcripts.
If one can associate such a function $\mathrm{reveal}()$ with $\Pi^1$ then protocol $\Pi^1$ is called correct. Lastly, the identity
of the locations of the transcripts of honest parties should not be relevant for this function, as long as $\lfloor n/2 \rfloor + 1$
inputs of $\mathrm{reveal}_{\Pi^1}$ are the true transcript values that were generated in the execution of the protocol.



Remark 1. The domain of the function $\mathrm{reveal}()$ is the set of vectors of valid transcripts generated from the
input commitment phase and its range is the set of vectors of values committed by the parties. Typically, the
correctness property of the input commitment phase is defined by requiring that there exists a corresponding
algorithm REVEAL() using which the shared secret can be revealed/extracted by the parties from the vector
of their transcripts. The above $\mathrm{reveal}()$ is a functional characterization of the VSS protocol, as opposed to an
algorithmic one. Indeed, a constructive way of proving such a characterization, i.e., proving that $\mathrm{reveal}()$
exists, is to demonstrate that there exists an algorithm by execution of which one may extract the secrets
shared (i.e., the input values committed) by the parties from the transcripts.

Let $\vec{I}$, $\Pi$ be as above. $\Pi^1(\mathcal{P}, \vec{I}, \vec{r}, C, \mathcal{A})$ is used to refer to the vector of input values committed to by
$\mathcal{P}$ on the execution of $\Pi^1$ starting with some vector of input values $\vec{I}$ and randomness $\vec{r}$, when $\mathcal{A}$ corrupts
the subset $C \subseteq \mathcal{P}$.

Definition 4. The input commitment phase $\Pi^1$ of protocol $\Pi$ is correct iff there exists an $n$-variate function
$\mathrm{reveal}_{\Pi^1} : (\{0,1,\bot\}^*)^n \to (\{0,1\}^*)^n$, which can be associated with $\Pi^1$ such that it satisfies the following
properties. Let $\mathit{Trans} = \Pi^1_{\mathit{Trans}}(\mathcal{P}, \vec{I}, \vec{r}, C, \mathcal{A})$ denote the vector of transcripts of $\mathcal{P}$ generated by the
execution of $\Pi^1$. Then,

1. Let $\hat{I} = \mathrm{reveal}_{\Pi^1}(\mathit{Trans})$. $\forall P_i \notin C : \hat{I}[i] = \vec{I}[i]$, i.e., honest parties are able to commit to their initial input
values.

2. $\forall \mathit{Trans}' : \left[ (\forall P_i \notin C : \mathit{Trans}'[i] = \mathit{Trans}[i]) \rightarrow (\mathrm{reveal}_{\Pi^1}(\mathit{Trans}') = \mathrm{reveal}_{\Pi^1}(\mathit{Trans})) \right]$, i.e., the transcripts
of the honest parties are sufficient to extract the values committed to by all the parties irrespective of the
transcripts of the corrupted parties.

Further, $\Pi^1(\mathcal{P}, \vec{I}, \vec{r}, C, \mathcal{A}) = \mathrm{reveal}_{\Pi^1}(\mathit{Trans})$ is used to refer to the vector of input values committed by

3.2 Full definition of multiparty computation for stand alone setting, for vanilla model 

An MPC protocol should possess two properties: correctness and privacy. Correctness of computation is
defined in a straightforward manner. Our definition of privacy is based on the following understanding:
Suppose a multiparty protocol is executed with some subset of corrupted parties. A view of the honest
parties and corrupted parties is generated in the process. Based on this view, the adversary may try to make
inferences about the inputs of the honest parties. We require that an indistinguishable distribution of views
of the adversary be computable just from the initial input values, the committed input values and the output
value of the corrupted parties. This amounts to arguing that the adversary can infer nothing more about the
input values of the honest parties than what can be inferred from these values alone. A more elaborate exposition
is presented later in this section.

Let $f : (\{0,1\}^*)^n \to \{0,1\}^*$ be an $n$-ary functionality. Let $\vec{I} = (i_1, i_2, \ldots, i_n)$ denote the vector of input
values of the parties.



Definition 5. Let $f$ be an $n$-ary function as defined above. Let $\Pi = (\Pi^1, \Pi^2)$ be a two phase multiparty
protocol, as described above. Then $\Pi$ securely evaluates $f$ if the following conditions hold true
for every subset $C \subseteq \mathcal{P}$ of parties corrupted by $\mathcal{A}$ for which $|\mathcal{P} - C| \geq \lfloor n/2 \rfloor + 1$:

1. Correctness: Let $\hat{I}$ refer to the vector of input values committed by the parties on execution of $\Pi^1$.
Then, for all honest parties $p_i \in \mathcal{P} - C$ the following holds true: $\Pi^2(\hat{I})_{p_i} = f(\hat{I})$.

2. Privacy: There exist simulators $(\mathrm{Sim}_1, \mathrm{Sim})$, which take as inputs the subset $C$, $\vec{I}_C$, $\hat{I}_C$, $f(\hat{I})$ and the
adversary program $\mathcal{A}$, and generate the distribution of views of the adversary $\mathcal{A}$, such that

(a) $\mathrm{Sim}(C, \vec{I}_C, \hat{I}_C, f(\hat{I})) \approx \mathcal{V}\mathit{iew}^{\Pi,\mathcal{A}}_{C}(C, \vec{I}, \hat{I}, f(\hat{I}))$

(b) $\mathrm{Sim}_1(C, \vec{I}_C, \hat{I}_C) \approx \mathcal{V}\mathit{iew}^{\Pi^1,\mathcal{A}}_{C}(C, \vec{I}, \hat{I})$

for all feasible adversaries $\mathcal{A}$ and for all functions $f$.

Remark 2. 1. Note that the simulator $\mathrm{Sim}$ is given both $\vec{I}_C$ and $\hat{I}_C$, i.e., the initial input values and the
input values committed by the corrupted parties, and the output value $f(\hat{I})$. The simulator aborts and
ignores those sessions in which the corrupted parties commit to input values different from $\hat{I}_C$. In the
information theoretic regime there is no constraint on the running time of the simulator. The distribution is
compared with the distribution of views of the adversary generated from the real execution of
the protocol when the parties start with initial input values $\vec{I}$ and commit to $\hat{I}$. If the distributions
generated in the two cases are proved indistinguishable, it amounts to saying that the adversary gains
no more knowledge about the input values of the honest parties than what could be derived just from the
initial input values and the committed input values of the corrupted parties and the output value.

2. It may be possible that the corrupted parties are able to commit to values which are somehow correlated
with the input values of the honest parties. This should not be allowed. The requirement on simulator $\mathrm{Sim}_1$
helps to achieve this non-malleability requirement (a violation of which can be seen as a breach of privacy of the honest
parties) for the input commitment phase $\Pi^1$ in a clean manner. This is seen as follows. The definition
of privacy implies that $\mathrm{Sim}_1(C, \vec{I}_C, \hat{I}_C) \approx \mathcal{V}\mathit{iew}^{\Pi^1,\mathcal{A}}_{C}(C, \vec{I}, \hat{I})$. This in turn implies that for any two
pairs of vectors $(\vec{x}_1, \vec{y}_1)$ and $(\vec{x}_2, \vec{y}_2)$ for which $(\vec{x}_{1,C}, \vec{y}_{1,C}) = (\vec{x}_{2,C}, \vec{y}_{2,C})$ we have
$\mathcal{V}\mathit{iew}^{\Pi^1,\mathcal{A}}_{C}(C, \vec{y}_1, \vec{x}_1) \approx \mathcal{V}\mathit{iew}^{\Pi^1,\mathcal{A}}_{C}(C, \vec{y}_2, \vec{x}_2)$. This is saying that, irrespective of what input vectors the honest parties start with,
the views of the corrupted parties generated from the commitment phase depend only on their own
initial input values and the values committed by them. Thus, for every vector of input values committed
by the adversary, each possible vector of input values of the honest parties is equally likely.

3.3 Exposition of the definition of privacy 

Violating the privacy property in the information theoretic setting amounts to an adversary inferring information
about the input values of honest parties that it is not supposed to. The adversary can make any inference about
the input values of other parties on the basis of its own view only. If it is shown that an indistinguishable
distribution of views of the adversary can (always) be generated from a certain set of values, then it implies that
the adversary can infer nothing more about the input values of honest parties than what can be information
theoretically inferred on the basis of this set of values and the structure of the function $f$ only. Obviously, then,
the adversary cannot distinguish between the different vectors of input values of the honest parties which are
(maximally-yet-equally) consistent with its own view with any useful advantage. This is the understanding
on which the definition of privacy is founded.
As defined above, the vector of input values committed by the parties is specified by the vector $\hat{I} = \Pi^1(\mathcal{P}, \vec{I}, \vec{r}, C, \mathcal{A}) = \mathrm{reveal}_{\Pi^1}(\mathit{Trans})$.

The variable $\mathcal{V}\mathit{iew}^{\Pi,\mathcal{A}}_{C}(C, \vec{I}_C, \hat{I}_C)$ is as defined at the beginning of the section, and is used rather canonically in the cryptographic
literature.



Let us review the formal statement of the definition of privacy: there exists a simulator $\mathrm{Sim}$ such that
for all corruptions $C \in \Gamma$, vectors of initial input values $\vec{I}$ and committed input values $\hat{I}$, condition 2(a)
of Definition 5 holds true.

Now imagine a table consisting of the following three columns: the vector of committed input values of the
corrupted parties, the vector of input values of the honest parties (for honest parties the committed input values
equal the initial input values, for the rest they may differ) and the output $f(\hat{I})$ that the parties set out to compute. Fill
up the rows of the table for all plausible choices of input values etc. that may be used in the multiparty
computation. Different rows of the table must differ in at least one column entry. The goal of the adversary
is to zoom in on the smallest subset of table entries which are (maximally-yet-equally) consistent with its
view generated in the real execution of the multi-party protocol. This set of compatible table entries corresponds
to the plausible vectors of input values that the honest parties could have used in the computation. Table entries
which are incompatible with the adversary's view (or correspond to a negligible probability of occurrence) are
rejected. The guarantee of the definition of privacy is that the set of non-rejected table entries must certainly
include the following subset of entries: the subset of rows which are compatible with the actual input values
committed by the corrupted parties and the output value generated in the real execution of the protocol. Thus, fix
the distribution of views of the adversary, $\approx \mathrm{Sim}(\vec{I}_C, \hat{I}_C, \mathit{Out})$ (where $\vec{I}_C$ is the vector of initial input values
and $\hat{I}_C$ is the vector of committed input values of the corrupted and sacrificed parties), for some real execution
of the multi-party protocol. Then the adversary cannot distinguish between any two distinct vectors $\hat{I}_1 \neq \hat{I}_2$
of input values, which the honest parties could have started with, for which $f(\hat{I}_1, \hat{I}_C) = f(\hat{I}_2, \hat{I}_C) = \mathit{Out}$,
with any significant advantage.
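The table argument above can be run mechanically for a small functionality. The following is an added example, not code from the paper: it builds the three-column table for a constructed three-party parity function with one corrupted party, computes the set of honest-input rows the privacy definition says the adversary must not be able to reject (those matching its committed inputs and $\mathit{Out}$), and compares it with the rows that survive a given real-world view. The two "protocols" (`view_ideal`, which hands the adversary only the output, and `view_leaky`, which also exposes one honest input) and all names are assumptions made for this illustration; a real protocol's view is a distribution, whereas these toy views are deterministic so that consistency can be checked as set equality.

```python
from itertools import product

# Constructed toy functionality: parity of the three parties' bits.
def f_parity(inputs):
    return sum(inputs) % 2

def merge(n, corrupted, c_part, h_part):
    """Re-assemble a full n-vector from the corrupted parties' part and the honest part."""
    corrupted = sorted(corrupted)
    honest = [i for i in range(n) if i not in corrupted]
    full = [None] * n
    for i, v in zip(corrupted, c_part):
        full[i] = v
    for i, v in zip(honest, h_part):
        full[i] = v
    return tuple(full)

def privacy_table(f, n, corrupted):
    """The table of Section 3.3: one row per plausible input vector, with columns
    (committed inputs of corrupted parties, inputs of honest parties, output).
    Honest parties commit to their initial inputs, so their two values coincide."""
    honest = [i for i in range(n) if i not in corrupted]
    rows = set()
    for bits in product((0, 1), repeat=n):
        c_part = tuple(bits[i] for i in sorted(corrupted))
        h_part = tuple(bits[i] for i in honest)
        rows.add((c_part, h_part, f(bits)))
    return rows

def ideal_consistent(table, committed_c, out):
    """Rows the privacy definition forbids the adversary from rejecting: every honest-input
    vector compatible with the corrupted parties' committed inputs and the real output Out."""
    return {h for c, h, o in table if c == committed_c and o == out}

def real_consistent(table, view_of, committed_c, observed_view):
    """Rows compatible with what the adversary actually observed in the real execution.
    view_of(c, h, out) is the (deterministic, for this toy) view the protocol gives it."""
    return {h for c, h, o in table
            if c == committed_c and view_of(c, h, o) == observed_view}

def violates_privacy(f, n, corrupted, view_of, committed_c, honest_inputs):
    """True iff the real view lets the adversary reject a row the ideal guarantee says it
    must keep, i.e. the protocol leaks something about the honest parties' inputs.
    For views that contain the output, the real set is a subset of the ideal one, so
    inequality means a strict narrowing."""
    table = privacy_table(f, n, corrupted)
    out = f(merge(n, corrupted, committed_c, honest_inputs))
    observed = view_of(committed_c, honest_inputs, out)
    return real_consistent(table, view_of, committed_c, observed) != \
        ideal_consistent(table, committed_c, out)

# Two constructed "protocols", described only by what the adversary gets to see.
def view_ideal(c, h, out):   # exactly what the trusted-party ideal would reveal
    return (out,)

def view_leaky(c, h, out):   # a broken protocol that also exposes the first honest input
    return (out, h[0])

if __name__ == "__main__":
    # Party 3 (index 2) is corrupted and commits to 1; honest parties hold (0, 1).
    print(violates_privacy(f_parity, 3, {2}, view_ideal, (1,), (0, 1)))  # False
    print(violates_privacy(f_parity, 3, {2}, view_leaky, (1,), (0, 1)))  # True
```

With the parity function and committed corrupt input 1, the rows consistent with $\mathit{Out}=0$ are the honest-input vectors $(0,1)$ and $(1,0)$; the output-only view keeps both, the leaky view collapses the set to $(0,1)$, which is precisely the kind of narrowing Definition 5 rules out.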

4 A new model for unconditional multiparty computation 

Using the above approach for defining privacy we can give results for realizing almost everywhere secure 
computation (aka a.e.s.c.) on special families of incomplete networks for the case of general Byzantine 
corruptions, in a follow up work. Now, we consider a new intermediate model for multiparty computation 
when communication can face limited disruption and present results for it. 

In [BCL+05], the authors consider a very weak computational model for MPC, when the adversary can
fully control the communication between the parties. For such a feeble model, not much can be guaranteed
because the adversary can completely disrupt any computation process. Yet theoretically this is an interesting
model to consider and the results given in [BCL+05] have an interesting flavour. It is shown that the
adversary's strategy can be restricted to either message relaying or conducting independent executions with
disjoint subsets of honest parties, and the only dependence that the adversary can achieve between these
executions is by running them sequentially and choosing its input in the second execution after
receiving its output from the first.

[Vay07], [GO08] consider a different model of MPC when only a partially connected network of
secure channels is available to the parties, called a.e.s.c. In contrast to [BCL+05], this model is theoretically
and practically interesting for the case of an information theoretic adversary only. On the other hand, although
the adversary considered in [BCL+05] is given too much power to assure any meaningful security guarantees
for practical purposes, a.e.s.c. actually assures meaningful security guarantees to a large number of honest
parties, if not all the honest parties (communistic settings are one example where they become relevant).
Recall that the canonical guarantees of correctness and privacy sometimes have to be "sacrificed" for some
honest parties that are surrounded by a bad neighbourhood of maliciously corrupted parties. Thus, depending
on the statistical guarantees about the subset of maliciously corrupted parties, a.e.s.c. makes only statistical
guarantees about the subsets of honest parties for which the correctness and/or privacy properties are assured,
for special families of incomplete networks. The reader may refer to [GO08] for a thorough discussion of the
theoretical and practical reasons for studying a.e.s.c. on incomplete networks.

Consider the following intermediate model (with respect to [GO08] and [BCL+05]), when an "information
theoretic" adversary (which renders PKI based solutions irrelevant) can partially control a subset of
communication channels in various ways. Depending on the actual subset of communication channels corrupted
by the adversary and the type of corruptions of the channels, not all honest parties may be able to achieve
the guarantees of correctness and privacy, just as in [Vay07], [GO08]. For example, if a fairly large set of the
communication channels connecting an honest party are totally corrupted, then this party may not be able to
commit to its intended input value or be guaranteed to receive its correct output value. On the other hand, if
a large number of the communication channels connecting to this honest party are authentic but eavesdroppable,
then the privacy of its input value or that of its output cannot be guaranteed. Thus the canonical guarantees
of correctness or privacy may have to be dropped for some of the honest parties. We give results for this
intermediate model in the a.e.s.c. framework.

From a practical point of view, also, many different types of man-in-the-middle attacks may be considered
in realistic networks. Computer networks often face the threat of the following type of security attack. An
intruder inserts itself between two communicating parties, both of which believe that they are talking to
each other, while the attacker deletes, modifies or simply eavesdrops on the messages exchanged between the
parties. More generally, such an attacker can carry out the attack in a coordinated fashion and sabotage a
large number of communication channels of the network. In particular, the attacker may use the messages
received on one communication channel to modify or inject new messages on a different channel. At the
same time interesting variations exist for the lower level protocols that protect the integrity and privacy of
the messages communicated over the channels. They give rise to interesting combinations of channels and
man-in-the-middle attacks.

We give results for this new model, called (unconditional) secure multi-party computation with man-in-the-middle attacks, in the a.e.s.c. framework. Realizing a.e.s.c. on incomplete networks while handling the case of Byzantine corruptions requires a more complex, cumbersome argument and is presented in a follow-up work.

5 Modelling communication channels with a man-in-the-middle attacker 

In this section we present an ideal functionality description for communication channels that captures different types of channel corruptions.

A directed channel e_{u,v} from party p_u to party p_v behaves as a secure channel if it is uncorrupted. The message received by the entity modelling the channel e_{u,v} from party p_u is received by party p_v after r rounds (a number which is physically hardwired in the channel). We consider a few different types of man-in-the-middle attacks by associating an appropriate behavioral description with the communication channels, as follows:

1. Authenticated but eavesdroppable channel: models a commonly considered man-in-the-middle attack in which the adversary has the power to wiretap a communication line between two parties (say, for example, a telephone line or a fiber optic cable) but cannot influence the integrity of the data communicated over it.

2. Partially corrupted channel: consider the following type of tampering with messages sent on the communication channel. The adversary gets a function a = f(x, r) of the message x sent over the communication channel. It corrupts a arbitrarily and forwards β = func(a) on the channel. The receiver receives the message f^{-1}(β, r). This type of channel behavior models a man-in-the-middle attack on a communication channel which has some underlying mechanism to protect the confidentiality of the data sent on it. For example, the communication channel may hide the message with a one-time pad before sending it over the channel. When the message is received at the other end, the one-time pad is removed by XORing the received message with the sequence of random bits r before it is passed to the party. In this sense, this type of corruption of the communication channel models the complement of the authenticated but eavesdroppable channel. This is one variation in which the correctness property of some honest parties may be compromised, while privacy may or may not be preserved in different executions (for example, when the messages communicated over several such channels are corrupted so that the default value "d", which is known to all the rest of the parties, is committed to by the relevant party).



3. Fully tamperable channel: models the type of man-in-the-middle attack in which the adversary receives the message being sent on the channel as it is and gets enough rounds to corrupt the message arbitrarily before forwarding it to the receiving party. This case covers the more traditionally studied flavor of man-in-the-middle attacks.

We assume a setting in which all the parties are synchronized with respect to a common clock. In every round, parties may engage in some computation, after which they send some messages to other parties. The messages are exchanged by honest parties over communication channels, which can potentially be corrupted in various ways. We assume that a message sent on a communication channel takes r rounds to reach the receiver, and that r is a publicly known constant. Furthermore, the adversary corrupting a message sent on a communication channel has limited flexibility in how it is allowed to interact with the channel. For example, the adversary may be allowed only a limited number of rounds to corrupt the message sent on the channel, and the protocol may be constructed so that a receiving party discards untimely received messages (detecting that they were corrupted).

Let r > 6 be a publicly known constant. Let C denote a vector whose elements denote the different types of channel and node corruptions, as follows. The directed channel from S to R is referred to by F_c(S, R, edge_id), and the ideal functionality for this directed channel from S to R is defined as follows:

Definition 6. F_c(S, R, edge_id) denotes a directed communication channel from S to R, with unique identity edge_id, synchronized with respect to a global clock, and executes as follows:

1. edge_id ∈ C[2]: (Passively corrupted channel) If message (S, R, mesg_id, m) is received from party S in round i, then F_c(S, R, edge_id) records it and forwards the message (S, R, mesg_id, m) to A in round i + 1, and to party R in round i + r − 1.

2. edge_id ∈ C[3]: (Partially corrupted channel)

(a) If (S, R, mesg_id, m) is received from S in round i, F_c(S, R, edge_id) records the message, round number etc., chooses a sequence r of random bits of appropriate length, records it, and forwards the message (S, R, mesg_id, m ⊕ r) to A in round i + 1.

(b) If F_c(S, R, edge_id) receives a message (S, R, mesg_id, m') to be sent to party R from A in round k for k < i + r − 2, then it continues, else it drops the message. F_c(S, R, edge_id) checks the validity, time stamp etc. of the message against its previous records. F_c(S, R, edge_id) retrieves the sequence of random bits r and forwards the message (S, R, mesg_id, r ⊕ m') to R in round i + r − 1.

3. edge_id ∈ C[4]: (Fully corrupted channel)

(a) If (S, R, mesg_id, m) is received from S in round i, F_c(S, R, edge_id) records the message, round number etc. and forwards the message (S, R, mesg_id, m) to A in round i + 1.

(b) In round k, for k < i + r − 2, F_c(S, R, edge_id) receives the message (S, R, mesg_id, m') to be sent to party R from A. F_c(S, R, edge_id) checks the validity, time stamp etc. of the message against its previous records and forwards the message (S, R, mesg_id, m') to R in round i + r − 1.

4. Otherwise: (Fully secure channel) If message (S, R, mesg_id, m) is received from party S in round i, F_c(S, R, edge_id) records it and forwards the message (S, R, mesg_id, ⊥, |m|) to A in round i + 1, and the message (S, R, mesg_id, m) to party R in round i + r − 1.
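The following Python model of F_c(S, R, edge_id) is an added illustration, not code from the paper: it plays the four channel behaviours of Definition 6 round by round and shows why a partially corrupted channel loses integrity but not confidentiality. Assumptions (not from the page): messages are byte strings, the adversary's reply is accepted up to and including round i + r − 2, and the sample message and bit-flip mask are constructed values.

```python
import os
from dataclasses import dataclass, field

# Channel types, named by the index of the corruption vector C they occupy in Definition 6.
SECURE, PASSIVE, PARTIAL, FULL = "secure", "C[2]", "C[3]", "C[4]"


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings (the one-time pad operation)."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class ChannelFunctionality:
    """F_c(S, R, edge_id): a directed channel with a hardwired delay of r rounds."""
    sender: str
    receiver: str
    edge_id: int
    ctype: str
    r: int
    records: dict = field(default_factory=dict)   # mesg_id -> (send round i, m, pad)
    injected: dict = field(default_factory=dict)  # mesg_id -> m' supplied by the adversary

    def send(self, mesg_id: int, m: bytes, i: int) -> tuple:
        """S hands (S, R, mesg_id, m) to the channel in round i. Returns the tuple the
        functionality releases to the adversary A in round i + 1."""
        pad = os.urandom(len(m)) if self.ctype == PARTIAL else None   # fresh one-time pad
        self.records[mesg_id] = (i, m, pad)
        hdr = (self.sender, self.receiver, mesg_id)
        if self.ctype == SECURE:
            return hdr + (None, len(m))        # (…, ⊥, |m|): only the length leaks
        if self.ctype == PARTIAL:
            return hdr + (xor(m, pad),)        # (…, m ⊕ r): independent of m
        return hdr + (m,)                      # passive or fully corrupted: m in the clear

    def adversary_inject(self, mesg_id: int, m_prime: bytes, k: int) -> bool:
        """A hands back m' in round k. Only tamperable channels accept it, and only if it
        is timely (assumed here: k <= i + r - 2); a late m' is dropped, as in 2(b)/3(b)."""
        if self.ctype not in (PARTIAL, FULL) or mesg_id not in self.records:
            return False
        i, _, _ = self.records[mesg_id]
        if k > i + self.r - 2:
            return False
        self.injected[mesg_id] = m_prime
        return True

    def deliver(self, mesg_id: int, current_round: int):
        """What R receives: nothing before round i + r - 1; then m, m', or r ⊕ m'."""
        i, m, pad = self.records[mesg_id]
        if current_round != i + self.r - 1:
            return None
        if self.ctype in (SECURE, PASSIVE):
            return m
        m_prime = self.injected.get(mesg_id)
        if m_prime is None:
            return None                        # A never forwarded anything: R gets nothing
        return m_prime if self.ctype == FULL else xor(pad, m_prime)


def demo(r: int = 7) -> dict:
    """Constructed run of one message on three channel types (r > 6 as the text requires)."""
    m, i = b"input=7", 10
    out = {}
    sec = ChannelFunctionality("S", "R", 1, SECURE, r)
    out["secure_view"] = sec.send(1, m, i)            # A learns only |m| = 7
    out["secure_delivered"] = sec.deliver(1, i + r - 1)

    # Partially corrupted channel: A sees only m ⊕ r, yet flipping a bit of the ciphertext
    # flips the same bit of what R receives (XOR malleability without learning m).
    par = ChannelFunctionality("S", "R", 2, PARTIAL, r)
    view = par.send(2, m, i)[3]
    delta = bytes([0x01]) + bytes(len(m) - 1)          # flips the low bit of the first byte
    out["partial_accepted"] = par.adversary_inject(2, xor(view, delta), i + r - 2)
    out["partial_delivered"] = par.deliver(2, i + r - 1)   # m ⊕ delta = b"hnput=7"

    # Fully corrupted channel: a replacement arriving one round too late is dropped.
    full = ChannelFunctionality("S", "R", 3, FULL, r)
    full.send(3, m, i)
    out["late_rejected"] = full.adversary_inject(3, b"forged!", i + r - 1)
    out["full_delivered"] = full.deliver(3, i + r - 1)
    return out
```

The timing check is what lets a receiver treat a late message as corrupted, as the text above describes; the partial channel run shows concretely how correctness can be lost while the adversary's view stays independent of m.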

5.1 Adversary structure for the model and its characteristics 

We set up adversary structures to handle the various combinations of corruptions of parties and channels. 

Definition 7. Let Γ ⊆ {(X_p, X_a, Y_p, Y_a, Y_b, Y_t) | X_p, X_a ⊆ P; Y_p, Y_a, Y_b, Y_t ⊆ P × P; X_p ∩ X_a = ∅; Y_p ∩ Y_a ∩ Y_b ∩ Y_t = ∅}, where X_p denotes the subset of parties corrupted passively, X_a denotes the subset of parties corrupted actively, Y_p denotes the subset of channels corrupted passively, Y_a, Y_b denote the subsets of channels corrupted maliciously but partially, and Y_t denotes the subset of channels corrupted maliciously and totally. An adversary A is called Γ-restricted if every possible sextuplet (subset of parties corrupted passively and actively, subset of channels corrupted passively, and subsets of channels corrupted partially and totally) realised by A belongs to the set Γ.



C is used to refer to a sextuplet of corruptions that belongs to adversary structure Γ. C is called a feasible corruption if there exists a subset of honest parties H with |H| ≥ [^J + 1 such that every two parties that belong to H are connected via a secure channel. A feasible adversary structure Γ is defined along the same lines.

5.2 Security implications for a given adversary structure 

In secure multi-party computation, the correctness property of an honest party is considered compromised if the honest party is not able to commit to its intended input value or does not receive the correct output value. The privacy property is considered compromised if the adversary gets to learn even partial information about the input value of the honest party that it is otherwise not supposed to learn. Depending on the types of channels by which an honest party is connected to the other participating parties, correctness or privacy may not be guaranteed to it. For a specific element of the adversary structure, we specify which participating honest parties are guaranteed Correctness (and Privacy). Honest parties may have to sacrifice Correctness or Privacy depending on the types of communication channels they are connected to.

1. Every honest party that is part of a sub-clique of size at least [^J + 1 of passively corrupted or uncorrupted honest parties, which are connected to each other via authenticated-but-eavesdroppable or secure channels, is guaranteed the Correctness property.

2. Every honest party that is part of a sub-clique of size at least [^J + 1 of passively corrupted or uncorrupted honest parties, which are connected to each other via only secure channels, is guaranteed the Privacy property. Note that the condition does not allow the honest party to be connected via partially tamperable channels, on which the adversary can corrupt the value being sent without learning the actual value. This is because, by manipulating the data sent on such channels and using its control of other corrupted parties, the adversary may falsely get the honest party declared "corrupt" (as happens in the input commitment phase of the [BGW88], [CCD88] protocols) and force it to commit to the default value "d". In this case, the default value is learned by all the participating parties and hence also by the adversary. Thus, the privacy property of the party is compromised. Also note that, depending on how the adversary controls the communication channels, this situation may not always arise, and the honest party may sometimes be able to commit to its input value without the adversary learning it. However, whether or not this happens depends on the actual execution of the protocol and the choices made by the adversary. Since we cannot always guarantee the privacy of this honest party, we say that the privacy of such a party is sacrificed.

5.3 Correspondence between the adversary structure and (un)sacrificed parties 

Based on the above conditions, we formally describe a function Comp whose domain is the set of all (feasible) adversary structures and whose range is a set of sets of tuples of the form (S_c, S_p), where S_c is the subset of honest parties which are guaranteed the Correctness property and S_p is the subset of honest parties which are guaranteed the Privacy property. The function Comp will be used in the main security definitions for the new model. It is defined in terms of a function func whose domain is the set of corruptible vectors (as discussed in Definition 7) and whose range is the set of tuples of the form (S_c, S_p), where the semantics of S_c and S_p are as defined previously in this paragraph. Thus, we have Comp(Γ) = {func(C_1), func(C_2), …, func(C_m)}, where C_i is the i-th feasible vector of corruptions as defined above. func(C_i) = (S_c, S_p) defines the subsets of honest parties which are guaranteed the Correctness and Privacy properties for a given vector of corruption.

1. x ∈ S_c iff party x belongs to a sub-clique Sub of parties which are connected to each other via eavesdroppable-but-authenticated channels or secure channels, and the size |Sub| of this sub-clique is greater than [^J + 1.

2. x ∈ S_p iff party x belongs to a sub-clique Sub of parties which are connected to each other via (only) secure channels, and the size |Sub| of this sub-clique is greater than [^J + 1.
5.4 Some technical subtleties in defining security for the new model

We briefly argue why there is no satisfactory way of formulating definitions of security for the new model 
using the "Trusted third party" paradigm. 

For this model of multi-party computation (and likewise for a.e.s.c. on incomplete networks), we encounter scenarios in which the input value committed by (and the output value received by) a sacrificed honest party may or may not be influenced by the adversary, while the adversary may not always get to learn the actual value committed by the sacrificed honest party. We give an example to illustrate the issue. An honest party may be connected via several (partially) corrupted communication channels to other parties. The adversary can corrupt the messages sent over these channels but is not able to view the actual messages sent on them. Thus, depending on the choices it makes, the adversary could get the honest party declared a 'fraud' and get it to commit to the default value "d". Clearly, all parties, including the adversary, get to learn the input value committed by the party in such executions. However, in other executions of the protocol, the adversary may just pass the (hidden) message over the communication channel without disturbing it at all, or modify it slightly so that the committed input is a function of the original value, and is then not able to learn the input value committed by the party. Thus, whether or not the privacy of the honest party is compromised varies from one execution to another. Since it is not always guaranteed for this vector of corruption C, we say that the privacy of this honest party is "sacrificed".

Depending on the types of corruption of the communication channels connected to a given party, similar scenarios may arise in which the input value of the sacrificed honest party cannot be extracted from the adversary's view. Thus, depending on the choices made by the adversary, such sacrificed parties may act neither as honest parties nor as parties actively controlled by the adversary. However, standard composition theorems for multiparty computation protocols are statements about the joint distribution of the views of the honest and corrupted parties, and are more than independent claims about the Correctness and Privacy properties for the parties. Since the sacrifice of only one of these properties for an honest party places it neither in the category of fully corrupted nor in the category of uncorrupted parties, there is no straightforward way to employ standard composition theorems for this model of secure multiparty computation.

More generally, we find that there is no clean and satisfactory way to incorporate the interaction of sacrificed parties with the 'Ideal functionality', since it depends on the dynamic choices made by the adversary. In fact, it is not clear what output some of the sacrificed parties should get from the Ideal functionality, because in a real execution of the protocol the output may be dynamically influenced by the adversary controlling multiple communication channels connected to the party. These issues have also been discussed in [GO08]. Due to such technical issues, we are required to explore a different approach for formulating the definitions of security for the new model. Since we cannot utilize standard composition theorems, we restrict ourselves to the stand-alone setting.

5.5 Definition of security for the new model 

We propose definitions for the new model in the almost everywhere secure computation framework. In this setting not all the honest parties are guaranteed to receive the correct output values or to be able to preserve the privacy of their input values. Honest parties for which this cannot be ensured are said to have sacrificed the respective property.

Let Γ be a feasible adversary structure. Recall (Section 7) the security implications of a feasible adversary structure, where we study which subsets of honest parties can be guaranteed the Correctness and Privacy properties depending on the particular element C of the adversary structure. In particular, when the vector of parties and channels corrupted by the adversary is C, we are required to guarantee correctness for the subset H_c and privacy for the subset H_p, where (H_c, H_p) = func(C). Globally, Comp(Γ) is used to refer to the set of tuples of subsets (H_c, H_p) which are guaranteed the Correctness and Privacy properties for the adversary structure Γ. We now adapt the formal definitions given in the previous section to include the notion of sacrifice for the new model.
Correctness of the input commitment phase. Let (H_c, H_p) = func(C), where the functions func, Comp have been discussed in Subsection 5.2. The input commitment protocol should have the following properties to be correct: (1) all honest parties in subset H_c should be able to commit to their initial input values, irrespective of the behavior of the corrupted parties; (2) Binding: all parties are committed, and the committed input values of all the parties are determined by the transcripts of the honest parties H_c alone. Formally, let P refer to the set of participating parties. Let A be an adversary restricted to adversary structure Γ (Definition 7). Let C refer to the sextuplet of parties and channels corrupted by the adversary A in a given execution.

Definition 8. Let Π = (Π^1, Π^2) be any two-phase multiparty protocol. The input commitment phase Π^1 is (Γ, Comp(Γ))-correct if there exists an n-variate function reveal_{Π^1} : ({0, 1, ⊥}*)^n → ({0, 1}*)^n such that the following conditions hold for all feasible C corrupted by A. Let Trans = Trans(Π^1, ȳ, C, A, r) denote the vector of transcripts of the parties P generated by the execution of Π^1. Let x̄ = reveal_{Π^1}(Trans). Let (H_c, H_p) = func(C). The following conditions hold for the subset of (unsacrificed) honest parties H_c:

1. Unsacrificed honest parties H_c commit to their intended input values: ∀P_i ∈ H_c : x_i = y_i, with probability greater than 1 − μ(n), for some negligible function μ(·).

2. Binding for all the parties: ∀Trans' : (∀P_i ∈ H_c : Trans'[i] = Trans[i]) → (reveal_{Π^1}(Trans') = reveal_{Π^1}(Trans)).

Full definition of security for the new model. Correctness of the multi-party protocol follows by ensuring the correctness of the commitment phase and the correctness of the computation phase of the protocol. The requirements for the former have been formalized in the previous subsection. The requirements for the latter are relatively straightforward to formalize. First recall the feasible adversary structure Γ and the correspondence of the adversary structure Γ to the unsacrificed honest parties, expressed by the functions func, Comp as discussed in Section 7. We require that all honest parties belonging to the subset H_c, where (H_c, H_p) = func(C), receive the correct output value f(ȳ) when the vector of input values committed to by the parties is ȳ. The privacy property of the multi-party protocol is formalized along the same lines as for the vanilla model in the previous section. A multi-party protocol is said to satisfy the privacy property if there exists a simulator which can generate the distribution of the views of the adversary during real executions of the multi-party protocol from the initial input values and committed input values of the parties belonging to the subset P − H_p (i.e., sacrificed and corrupted parties) and the output value alone. Formally,

Definition 9. Let Γ, Comp, func and f, ȳ, P, A, C be defined as before. Let Π = (Π^1, Π^2) be a two-phase multiparty computation protocol satisfying Definition 8, which formalizes the correctness of the input commitment phase Π^1. Π (Γ, Comp(Γ))-securely evaluates function f if there exists a simulator Sim such that, for all C ∈ Γ corrupted by A, the following conditions hold for the subsets of honest parties H_c, H_p, where (H_c, H_p) = func(C):

1. Correctness: Let x̄ be the vector of input values committed to by the parties after the execution of the input commitment phase Π^1.³ Then, for all p_i ∈ H_c : Π^2(x̄, C, A, r)_i = f(x̄).⁴

2. Privacy: The simulator Sim takes as input C, ȳ_{P−H_p}, x̄_{P−H_p}, the output f(x̄) and the adversary program A, and generates a distribution of views of A such that Sim^A(C, Π, ȳ_{P−H_p}, x̄_{P−H_p}, f(x̄)) ≈ View_A(C, Π, ȳ, f(x̄), Γ), for all feasible adversary structures Γ.

Note that in the above definition the simulator Sim is given the input values of some sacrificed honest parties. These values may not always be extractable from the actual view of the adversary. This issue is addressed in the explanation of the above definition in the footnote below.⁵

We have the following result for the new model. 



³ x̄ ← Π^1(ȳ, C, A, r), as defined above.

⁴ The equality condition can be relaxed to ≈ for the case of a probabilistic function.

⁵ Imagine a table consisting of the following three columns: the vector of committed input values of the corrupted/sacrificed parties, the vector of input values of the unsacrificed honest parties (for honest parties the committed input values equal the initial input values; for
Theorem 1. There exists a multiparty computation protocol Π' that Γ-securely evaluates function f according to Definition 9 for all feasible adversary structures Γ.

Multiparty computation protocols like [BGW88], [CCD88] etc. are known to be resilient against a computationally unbounded adversary which can corrupt at most [^^J parties. Thus, we have the following well-known claim for the stand-alone setting.

Theorem 2. There exists a multiparty computation protocol Π that securely evaluates function f according to Definition 5.

Using Theorem 2 above, we show how to realize almost everywhere secure multiparty computation when a subset of the communication channels can also be corrupted.

Theorem 3. There exists a multiparty computation protocol Π' that Γ-securely evaluates function f according to Definition 9 for all feasible adversary structures Γ.

Proof. Let Π be an (unconditionally) secure multiparty protocol from Theorem 2 for the vanilla setting. The underlying assumption for Theorem 2 is that it takes one round for a message sent on a secure channel to reach the party at the other end. Thus, a trivial variation is to consider an adaptation of the multiparty protocol Π in which the underlying communication channels take r rounds to deliver the messages sent on them (so that parties engage in computation only in the rounds that are 0 mod r). This is achieved by blowing up each single round of the multiparty protocol Π into a slot of r rounds, such that the parties are now activated only at the beginning of each slot (i.e., in the corresponding rounds 0 mod r). Let Π' be this adapted multiparty protocol that satisfies Theorem 2 for this setup. Further modify Π' so that each ordered pair of parties (of the n(n − 1) ordered pairs in all) is provided a unique non-overlapping slot for transmission, arranged in an arbitrary but predetermined order. Thus, each slot of Π' is now replaced with a block of n(n − 1) non-overlapping super-rounds, each of which itself consists of r rounds. Let Π'' be the resulting protocol. In protocol Π'' the first super-round is allotted for party P_1 to transmit any message to party P_2, the second super-round is allotted for party P_1 to transmit any message to party P_3, and so on. The entire sequence of n(n − 1) such super-rounds constitutes a block of super-rounds of protocol Π''.

We shall show that protocol Π'' (Γ, Comp(Γ))-securely evaluates function f according to Definition 9 for all feasible adversary structures Γ. The proof is a reduction argument which proceeds in two stages. In the first stage, we claim that Theorem 3 holds for all feasible adversary structures of a special type if Theorem 2 is true. In the second stage, we show that if Theorem 3 holds for all special feasible adversary structures, then it holds for all feasible adversary structures.

The special feasible adversary structures are feasible adversary structures which have no channel corruptions of type 3 and type 4, i.e., for these feasible adversary structures C[3] = C[4] = ∅. There is a straightforward reduction from Theorem 3, for the case of adversaries restricted to such feasible adversary structures, to Theorem 2. Intuitively, this is straightforward because corruptions of communication channels of type 3 and 4 do not need to be handled, and passive corruption of channels is taken care of by passive corruption of the corresponding parties whenever necessary (when an honest party is connected to at least ^^ other parties via passively corrupted channels, or the parties are themselves passively/actively corrupted).

⁵ (continued) the rest they may differ), and the output f(x̄) that the parties set out to compute. Fill up the table rows for all plausible values of the multiparty computation. Different rows of the table must differ in at least one column entry. The goal of the adversary is to zoom in on the smallest subset of table entries which are (most, yet equally) consistent with its view generated from a real execution of the multi-party protocol. This set of compatible table entries corresponds to the plausible vectors of input values that the unsacrificed honest parties started with. Table entries which are incompatible with the adversary's view (or correspond to a negligible probability of occurrence) are rejected. The guarantee of the definition of privacy is the following. The subset of non-rejected table entries must certainly include the following subset of entries (as long as the adversary is Γ-restricted): the subset of rows of the table which are compatible with the actual input values committed by the sacrificed honest parties and the corrupted parties, and with the output value generated in the real execution of the protocol.

Thus, fix the distribution of views of the adversary as ≈ Sim(I_i, I_c, Out) (where I_i is the vector of initial input values and I_c is the vector of committed input values of the corrupted and sacrificed parties) for some real execution of the multi-party protocol. Then the adversary cannot distinguish between any two vectors ȳ, ȳ' of initial input values with which the unsacrificed honest parties could have started, as long as f(ȳ, I_c) = f(ȳ', I_c) = Out.

We now focus on the second-stage reduction, in which we show that for every Γ-restricted adversary A' that attacks the execution of protocol Π'', there exists a corresponding adversary A that attacks the execution of protocol Π'' but is restricted to a corresponding special feasible adversary structure as described above, for which Theorem 3 holds. We now describe the adversary structure for A.

Let the adversary A' corrupt a feasible sextuplet C' ∈ Γ. Since C' is feasible, there exist subsets of honest parties H_c, H_p ⊆ P, (H_c, H_p) = func(C'), with |H_c|, |H_p| ≥ [^J + 1, for which we are required to satisfy the Correctness and Privacy properties according to Definition 9.

The strategy of A is as follows. A corrupts C such that C[0] = H_c − H_p (passively corrupted) and C[1] = P − H_c (maliciously corrupted). Furthermore, every channel (p_u, p_v) with an endpoint outside H_p belongs to C[2], i.e., all channels outside the subset H_p are passively corrupted. This is the only type of channel corruption we consider for A, i.e., C[3] = C[4] = ∅; the rest of the channels lie inside H_p and are secure. Thus, from our construction of C, it is easy to verify that func(C) = (H_c, H_p) (from the definition of func in Subsection 5.2).

A attacks the execution of protocol Π'' with this corruption while internally simulating the view of A' perfectly. We shall show that the parties belonging to the subset H_c and A' cannot distinguish between the two scenarios in which they participate, namely Case A) A' attacking the execution of protocol Π'' while corrupting C', and Case B) A attacking the execution of protocol Π'' while corrupting C and internally simulating A'. Correctness and Privacy of protocol Π'' against A' then follow. A acts as follows:

1. For parties belonging to C[1]: A internally simulates A' for the maliciously corrupted parties belonging to the subset C'[1]. The messages to be delivered by parties belonging to C[1] to other parties, and vice versa, are first passed through the simulations of the corresponding communication channels, which may or may not be (partially) controlled by A'. Note that some of the parties belonging to C[1] are not maliciously corrupted by A' but behave as corrupted because too many corrupted communication channels are connected to them. For these cases, too, A carries out the appropriate simulation: it first simulates the protocol for the honest party, then simulates the communication channel on which this message is supposedly sent, to compute the message which is finally sent by A.

2. For parties belonging to C[0]: A internally simulates the role of honest parties for the parties belonging to C[0], while also appropriately simulating the view of A'.

3. For communication channels: The messages sent by the parties to other parties, and received by the parties from other parties, may be (partially/fully) corrupted when they are sent on the communication channels. These communication channels are internally simulated by A, either to correspondingly simulate the view of A' before the possibly modified message is transmitted to other parties, or to correspondingly constitute the view of A' after the message has been received by the party via the secure/passively corrupted channel.

We claim that the following two conditions are simultaneously true after every super-round of the execution of protocol Π'' in the two settings: Case A) when A' attacks the execution of protocol Π'' while corrupting C'; Case B) when A attacks the execution of protocol Π'' while internally simulating A' as described above and corrupting C.

1. The distributions of the views of the honest/semi-honest parties in H_c are indistinguishable after every super-round.

2. The distributions of the views of A' generated in Case (A) and Case (B) are indistinguishable after every super-round.

It is easy to verify from the construction of A described above that if these two conditions are simultaneously true after super-round j for Case (A) and Case (B), then they are simultaneously true after super-round j + 1, and so on.
Hence the distributions of the transcripts of the parties at the end of the input commitment phase are indistinguishable. In particular, the same function reveal_{Π''} from Case (A) also possesses the requisite characterization of the input commitment phase of protocol Π'' being attacked by A'. Now, conditioned on the fact that the input values committed to by all the parties are the same for the two executions corresponding to Case (A) and Case (B), the distributions of the transcripts of the honest parties belonging to the subset H_c are also indistinguishable after the last round of protocol Π'' in the two cases, which implies that the output values for deterministic functions (and the distributions of output values for probabilistic functions) of the honest parties are also the same. The Correctness property of protocol Π'' when adversary A', corrupting C', attacks its execution follows from the Correctness property of protocol Π'' when adversary A, corrupting C, attacks its execution.

Privacy: The proof of Privacy of protocol Π'' when A' attacks its execution just involves carefully transferring the above work.

For the privacy condition it is enough to demonstrate an appropriate simulator Sim' which satisfies the conditions of Definition 9. The simulator Sim' is given the initial input values and the input values committed to by the parties belonging to the subset P − H_p, besides the output value, and is required to generate a distribution of views of the adversary A' that is indistinguishable from the one generated in a real execution of protocol Π''.

Now recall the construction of the subset of honest parties H_p for which the Privacy property is guaranteed. Each honest party P_i ∈ H_p is connected via secure channels to at least [^J honest parties which are connected to each other via secure channels only. It is easy to verify, from our construction of A and the definition of the functions Comp and func for feasible adversary structures, that the subset of parties H_p for Case (A) (when A' attacks the protocol execution) is the same as the subset of parties H_p for Case (B) (when A attacks the protocol execution).

By the definition of the Privacy property for Case (B), there exists a simulator Sim that generates a distribution of views of adversary 𝒜 which is indistinguishable from the distribution of the views of these parties generated in a real execution of the protocol. Simulator Sim is given the initial input values and the committed input values of the parties belonging to the subset P − H_P, besides the output value. The same simulator, Sim ⇔ 𝒜, can be invoked for Case (A) as well.

For Case (A), we know from above that 𝒜 internally simulates 𝒜', i.e., Sim ⇔ 𝒜 ⇔ 𝒜'. Now let Sim' = Sim ⇔ 𝒜, which in turn interacts with 𝒜' to generate the distribution of the views of 𝒜', i.e., Sim' ⇔ 𝒜'. If the distribution of views of 𝒜' generated by this simulator Sim' and the distribution of views of 𝒜' generated during the real execution of protocol Π' were distinguishable, this would translate into distinguishability between the distribution of views of 𝒜 generated from the real execution of the protocol and the distribution of views of 𝒜 generated by the simulator Sim, contradicting the Privacy property of protocol Π'' for Case (B).

Remark 3. Simulations in which the input values committed to by the corrupted and sacrificed parties differ from the ones given to the simulator are discarded. (Which values these parties committed to in the commit phase is checked at the end of the first phase of the protocol; the simulator can compute the committed input values of these parties from its own view.) The simulator is only required to produce a simulation for the case in which the values committed to by the corrupted and sacrificed parties are the ones given to it, since only that case corresponds to the output value given to the simulator. Therefore, we only consider the simulated distribution of the views of the adversary 𝒜' conditioned on this event.
A An alternate exposition of the definition of privacy in the new model

We adapt the underlying concept of simulation in Zero-Knowledge protocols to formulate the definition of the privacy property for the stand-alone setting in the vanilla model. Subsequently, the notion of "sacrifice" of honest parties is incorporated into the definition for the new model. This conceptual exposition is included here for the sake of completeness, from [Vay10c].

We shall first examine the role of the simulator in several different definitions of security of two-party and multiparty protocols, and what demonstrating a simulator in these settings is understood to establish. We then present a meta-definition which captures the bare-bones skeleton of these definitions. Finally, we explain how the understanding subsumed in the meta-definition is employed to define the privacy property of these protocols, and also in this work.

The celebrated work on Zero-Knowledge Proofs introduced the fundamental notion of knowledge complexity and defined zero-knowledge proofs (ZKP).¹ Loosely, a protocol is a ZKP if the verifier does not gain anything from interacting with the prover which it could not have generated by itself, except for one bit, namely the validity of some statement. This is formalized as follows: a protocol is a ZKP iff there exists a PPT simulator which, given the inputs available to both parties, the verifier's program and any auxiliary values held by the verifier, can generate a distribution of transcripts of the verifier that is indistinguishable from the distribution of transcripts generated in a real execution of the protocol. Let us examine this closely by considering an example.

Consider a ZKP in which the verifier is given an auxiliary input Aux but has limited space (i.e., is space bounded). The (cheating) verifier tries to use the auxiliary input in order to extract some extra knowledge while executing the protocol with the prover. As a result, a transcript T is generated with the verifier. Afterwards, due to space constraints, the verifier deletes the auxiliary input Aux. Clearly, the verifier now does not seem to be able to generate an indistinguishable-looking transcript of the verifier, because it no longer has the auxiliary input Aux, which the simulator takes as input. Does the same transcript T, which was earlier considered to convey zero knowledge, now represent anything more to the verifier? Why or why not? How much knowledge is contained in the transcript (of and) for the verifier? A statement that is consistently true both before and after the verifier deletes the auxiliary input Aux from its tape is: whatever knowledge the verifier could (PPT) computationally derive from the transcript T can also be computationally derived just from the initial input value given to both parties, the verifier's program and the auxiliary input value Aux. When the verifier also possessed the auxiliary input, this could be interpreted to mean that T contained zero knowledge for the verifier. A similar understanding is used to define the privacy property of multiparty protocols proved secure via the simulation paradigm: an ideal process and a real process are described. In the ideal process the power of the adversary looks "somewhat" curtailed and the parties are given access to an ideal functionality, while the simulator simulates the protocol execution and generates the views of all the parties. The distributions of the views of the adversary generated in the two processes are proved to be indistinguishable in order to claim the privacy property of the protocol. But what is really implied in inferring the privacy property from such a proof, as in [GMW87]? It is that the view of the adversary (in the ideal process) could be generated by a simulator (a PPTM, or just a TM) which is given access only to some input values and output values of the corrupted parties. Nevertheless, aside from these input and output values, there are many other messages that are part of the view of the adversary even in the ideal process. So the underlying understanding is: the adversary cannot derive any more information about the input values of the honest parties than what can be (PPT) computationally (or information theoretically, whatever the case may be) derived just from its own input and output values. This is interpreted as the Privacy property of the protocol.

¹ One may want to keep in mind the following sentence from page 295 (second-to-last paragraph) of the historic paper [GMR85] while formulating the notion of knowledge: "With this in mind we would like to derive an upper bound (expressed in bits) for the amount of knowledge that a polynomially bounded machine can extract from a communication." Further, review the definition of KC(f(n)) given there.

Towards this end, we intend to capture the essence of demonstrating a simulator in definitions of ZKP and in some other definitions of multiparty protocols (like the original definition in [GMW87]). The following meta-definition of a simulator captures the essential skeleton of these definitions of security: a simulator is a hypothetical mental construct which is used to prove properties that should hold about the relations between the input values, intermediate values and output values generated by the execution of a multiparty protocol with a given adversary.

Let us see how we arrive at this meta-definition. First, note that the distribution of transcripts generated by the simulator Sim interacting with the verifier's program Ver can be produced by a single Turing machine U which is given the following auxiliary inputs: a string of bits encoding the program of the simulator Sim, and a string of bits encoding the program of the verifier Ver. The Turing machine U takes as input the input value I and the auxiliary value Aux of the verifier. U is also given a random tape. U simulates internally the interaction between the simulator and the verifier by interpreting the strings Sim and Ver as two procedures which have separate tapes/memories for reading and writing, but which are also given a common shared memory corresponding to the interactive tapes used for communication. U detects when the simulation has failed and the verifier needs to be rewound to an earlier state, and does this when necessary by maintaining a stack. Finally, U outputs a distribution of transcripts. It is easily seen that U runs in time polynomial in the running times of the original simulator Sim and the verifier Ver, and produces its output in one shot, without interactive computation of any kind.

The output of the Turing machine U on input I, Aux is the requisite distribution D, i.e., $U(I, \mathrm{Aux})_r \equiv D_{P \Leftrightarrow V(I, \mathrm{Aux})}$. Looked at another way, U is a Turing machine which is just computing the value of a probabilistic function func(·, ·) whose domain is all possible tuples of values that can be assigned to I, Aux and whose range is a distribution of transcripts of the verifier. Furthermore, $\mathrm{func}(I, \mathrm{Aux})_r \approx P \Leftrightarrow V(I, \mathrm{Aux})$. The property of the function func(·, ·) that it is PPT computable is interpreted to mean that the verifier does not derive anything more, computationally, from interacting with the prover than what could be derived by the verifier itself. We emphasize here that the verifier may or may not have access to the simulator, or to the auxiliary values, at the time of simulation. However, it is the property of the function func(·, ·), i.e., its PPT computability, that matters here and that we care about. In other words, the simulator is merely an "abstract" construct which has nothing to do with what may or may not be achievable/available in reality, and is used only to demonstrate how the initial input, the auxiliary input and the string encoding the verifier's program relate to the intermediate and output values, i.e., the transcripts generated in the execution of the protocol. What is achieved by demonstrating such a simulator is a proof of some properties of the "existing" relations between the different values possessed by possibly different parties. This methodology is "constructive" (we demonstrate an algorithm). The interesting property that the function func(·, ·) possesses, from our perspective, is that it is PPT computable.
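The single machine U described above, as an added worked example (this is not code from the paper): a Schnorr-style sigma protocol over a constructed toy group, a stateful verifier program Ver holding an auxiliary input Aux with an arbitrary (cheating) challenge rule, and a one-shot machine that runs the simulator against Ver, rewinding it through a stack of saved states whenever an attempt fails. The group parameters, the verifier's rule, Aux, the witness and the use of a short challenge are assumptions made here. Enumerating all coins shows that the accepted simulator outputs form exactly the real transcript distribution, and the rewind count shows why a short challenge is what keeps func PPT computable.

```python
"""Added example: U = one machine running Sim against Ver with rewinding.
All parameters below are constructed; the group is far too small for real use."""
import random
from typing import Callable, List, Optional, Tuple

P, Q, G = 23, 11, 2          # p = 2q+1; 2 has order 11 mod 23 (2^11 = 2048 = 89*23 + 1)

Transcript = Tuple[int, int, int]   # (commitment a, challenge c, response z)


def verify(h: int, t: Transcript) -> bool:
    """Honest verifier's final check: g^z == a * h^c (mod p)."""
    a, c, z = t
    return pow(G, z, P) == (a * pow(h, c, P)) % P


class Verifier:
    """Ver: a stateful program holding Aux; its challenge is an arbitrary
    deterministic function of Aux and of everything it has seen so far.
    snapshot/restore is what lets U rewind it."""

    def __init__(self, aux: int, challenge_bits: int = 1):
        assert 2 ** challenge_bits <= Q
        self.aux, self.space, self.seen = aux, 2 ** challenge_bits, []

    def snapshot(self) -> Tuple[int, List[int]]:
        return self.aux, list(self.seen)

    def restore(self, state: Tuple[int, List[int]]) -> None:
        self.aux, self.seen = state[0], list(state[1])

    def challenge(self, a: int) -> int:
        self.seen.append(a)
        return (a * self.aux + len(self.seen)) % self.space   # a "cheating" rule


def real_execution(h: int, w: int, ver: Verifier, r: int) -> Transcript:
    """P <-> Ver(I, Aux): the honest prover knows w with h = g^w; r is its coin."""
    a = pow(G, r, P)
    c = ver.challenge(a)
    return a, c, (r + c * w) % Q


def sim_attempt(h: int, ver: Verifier, c_guess: int, z: int) -> Optional[Transcript]:
    """One Sim <-> Ver round with no witness: choose (c', z) first and set
    a = g^z * h^(-c'); the triple verifies exactly when Ver answers c'."""
    a = (pow(G, z, P) * pow(h, (-c_guess) % Q, P)) % P
    c = ver.challenge(a)
    return (a, c, z) if c == c_guess else None


def universal_machine(h: int, ver: Verifier,
                      coins: Callable[[], Tuple[int, int]]) -> Tuple[Transcript, int]:
    """U computes func(I, Aux) in one shot: a failed attempt is undone by
    restoring Ver from the stack. Returns (transcript, number of rewinds)."""
    stack: List[Tuple[int, List[int]]] = []
    rewinds = 0
    while True:
        stack.append(ver.snapshot())
        t = sim_attempt(h, ver, *coins())
        if t is not None:
            return t, rewinds
        ver.restore(stack.pop())
        rewinds += 1


def random_coins(space: int, rng: random.Random) -> Callable[[], Tuple[int, int]]:
    return lambda: (rng.randrange(space), rng.randrange(Q))


def real_distribution(h: int, w: int, aux: int, bits: int = 1) -> List[Transcript]:
    """Exact real distribution: one transcript per prover coin r in Z_q."""
    return sorted(real_execution(h, w, Verifier(aux, bits), r) for r in range(Q))


def simulated_distribution(h: int, aux: int, bits: int = 1) -> List[Transcript]:
    """Exact distribution of U's output: the accepted attempts over all of Sim's
    coins (c', z). For each commitment a exactly one c' is accepted, so the
    multiset equals the real one although no witness was used."""
    out = [sim_attempt(h, Verifier(aux, bits), c, z)
           for c in range(2 ** bits) for z in range(Q)]
    return sorted(t for t in out if t is not None)


def one_simulation(aux: int = 5, w: int = 7, bits: int = 1, seed: int = 0) -> Tuple[bool, int]:
    """Run U once against a fresh Ver; report (output verifies?, rewinds used)."""
    h = pow(G, w, P)
    t, k = universal_machine(h, Verifier(aux, bits), random_coins(2 ** bits, random.Random(seed)))
    return verify(h, t), k


def mean_rewinds(aux: int, bits: int, runs: int, seed: int = 1) -> float:
    """Cost of U: about 2^bits - 1 rewinds on average. A long challenge would make
    U exponential; the short challenge (repeated sequentially for soundness) is
    what keeps func PPT computable against an arbitrary Ver."""
    rng, h, total = random.Random(seed), pow(G, 7, P), 0   # any h in the subgroup works
    for _ in range(runs):
        total += universal_machine(h, Verifier(aux, bits), random_coins(2 ** bits, rng))[1]
    return total / runs
```

Note that U never touches the witness w: it only needs Aux, the verifier's program (as a callable object) and its own coins, which is exactly the point made about the function func above. The verifier's state is copied before each attempt and restored after a failed one, so rewinding is literal here rather than a figure of speech.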

This understanding is extended to the case of multi-party protocols in a straightforward manner.
More specific comments about the definition of privacy in this work: For the information-theoretic case, violating the privacy property of the multi-party protocol can be reduced to the adversary distinguishing between plausible input vectors of the unsacrificed honest parties on the basis of its own view. If it can be shown that the view of the adversary can be (indistinguishably) generated using only some vectors of input values of the corrupted and sacrificed parties and the output values, we are done. What we infer from this proof is that the adversary has gained nothing more about the input vectors of the unsacrificed honest parties than what could be information-theoretically inferred using these values alone.²

In light of the above discussion, let us review the formal definition of privacy in this work: there exists a simulator Sim such that, for all feasible corruptions, initial input values $\vec{x}$ and committed input values $\vec{y}$, the following condition holds:

$$\mathrm{Sim}_{\mathcal{A}}(C, T, N, \vec{x}_{P-H}, \vec{y}_{P-H}, f(\vec{y})) \approx \mathrm{View}_{\mathcal{A}}(C, \vec{x}, \vec{y}, f(\vec{y}), \vec{r}).$$

Consider another pair of vectors $\vec{x}'$ and $\vec{y}'$ such that $\vec{x}'_{P-H} = \vec{x}_{P-H}$ and $\vec{y}'_{P-H} = \vec{y}_{P-H}$ (i.e., the values corresponding to the sacrificed and corrupted parties agree) and $f(\vec{y}') = f(\vec{y})$. For these values the privacy property implies that

$$\mathrm{Sim}_{\mathcal{A}}(C, T, N, \vec{x}'_{P-H}, \vec{y}'_{P-H}, f(\vec{y}')) \approx \mathrm{View}_{\mathcal{A}}(C, \vec{x}', \vec{y}', f(\vec{y}'), \vec{r}).$$

Now observe that the inputs of the simulator Sim are the same in both cases, as $\vec{x}'_{P-H} = \vec{x}_{P-H}$, $\vec{y}'_{P-H} = \vec{y}_{P-H}$ and $f(\vec{y}') = f(\vec{y})$, which implies that

$$\mathrm{View}_{\mathcal{A}}(C, \vec{x}, \vec{y}, f(\vec{y}), \vec{r}) \approx \mathrm{View}_{\mathcal{A}}(C, \vec{x}', \vec{y}', f(\vec{y}'), \vec{r}),$$

i.e., as long as the initial input values and the committed input values of the sacrificed honest parties and the corrupted parties, together with the final output value, are the same, the distributions of the views of the adversary are also the same: the adversary cannot distinguish between the two sets of input values of the unsacrificed honest parties used in the computation with any advantage.
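The condition just stated, as an added worked example (not the paper's own code): a toy four-party secure sum over Z_3 using additive sharing, with one corrupted party P0 and one party P1 treated as sacrificed, so that P − H = {0, 1}. The protocol, the party roles, the adversary's fixed coins and the input vectors are assumptions made here; initial and committed inputs coincide (there is no separate commit phase) and all channels are taken to be secure, so the paper's channel model is not represented. Both sides of the condition are computed exactly by enumeration: the simulator is given only the inputs of P − H and f(y), and the real views for two input vectors that agree on P − H and on the output coincide with each other and with the simulated views, while changing the adversary's own input does not.

```python
"""Added example: exact check of  Sim(C, y_{P-H}, f(y)) == View_A(C, y, f(y), r)
for a constructed 4-party secure sum over Z_M. Initial and committed inputs
coincide here (no commit phase) and all channels are assumed secure."""
from collections import Counter
from fractions import Fraction
from itertools import product
from typing import Dict, Tuple

M, N = 3, 4                 # inputs and shares in Z_M; parties P0..P3
C = {0}                     # corrupted party (the adversary)
SACRIFICED = {1}            # honest party whose privacy is not guaranteed
H = {2, 3}                  # honest unsacrificed parties, so P - H = {0, 1}
Dist = Dict[Tuple, Fraction]


def f(y: Tuple[int, ...]) -> int:
    """The functionality: the sum of the committed inputs mod M."""
    return sum(y) % M


def adversary_shares(y0: int) -> Tuple[int, ...]:
    """The adversary's coins are fixed: P0 always splits y0 as (y0, 0, 0, 0)."""
    return (y0 % M,) + (0,) * (N - 1)


def all_sharings(v: int):
    """Every additive sharing (s_0, ..., s_{N-1}) of v: shares 1..N-1 free, s_0 fixed."""
    for rest in product(range(M), repeat=N - 1):
        yield ((v - sum(rest)) % M,) + rest


def adversary_view(shares: Dict[int, Tuple[int, ...]]) -> Tuple:
    """View of P0: the shares s_{i,0} it receives plus every broadcast partial
    sum t_j = sum_i s_{i,j}; the output sum_j t_j is implied and needs no field."""
    received = tuple(shares[i][0] for i in range(1, N))
    partials = tuple(sum(shares[i][j] for i in range(N)) % M for j in range(N))
    return received, partials


def real_view_distribution(y: Tuple[int, ...]) -> Dist:
    """View_A(C, y, f(y), r): enumerate every coin vector r of the parties not in C."""
    others = [i for i in range(N) if i not in C]
    counts: Counter = Counter()
    for choice in product(*(list(all_sharings(y[i])) for i in others)):
        shares = {0: adversary_shares(y[0]), **dict(zip(others, choice))}
        counts[adversary_view(shares)] += 1
    total = sum(counts.values())
    return {v: Fraction(k, total) for v, k in counts.items()}


def simulator_distribution(y_PH: Dict[int, int], output: int) -> Dist:
    """Sim(C, y_{P-H}, f(y)): uses only the inputs of P - H = {0, 1} and the output.
    Received shares are uniform. Writing u_j = sum_{i != 0} s_{i,j}, the u_j are
    uniform subject to sum_j u_j = output - y0 (mod M), which is all the output
    reveals; u_0 is the sum of the received shares. The sacrificed input y_PH[1]
    is handed to Sim by the definition, but this particular protocol never needs it."""
    y0, mine = y_PH[0], adversary_shares(y_PH[0])
    counts: Counter = Counter()
    for received in product(range(M), repeat=N - 1):        # s_{1,0}, s_{2,0}, s_{3,0}
        u0 = sum(received) % M
        for u_free in product(range(M), repeat=N - 2):      # u_1, u_2
            u_last = (output - y0 - u0 - sum(u_free)) % M   # u_3 is fixed by the output
            u = (u0,) + u_free + (u_last,)
            partials = tuple((mine[j] + u[j]) % M for j in range(N))
            counts[(received, partials)] += 1
    total = sum(counts.values())
    return {v: Fraction(k, total) for v, k in counts.items()}


def privacy_holds(y: Tuple[int, ...], y_alt: Tuple[int, ...]) -> bool:
    """The consequence drawn in the text: if y and y_alt agree on P - H and
    f(y) == f(y_alt), the adversary's view distributions are identical, and both
    equal the simulator's. Pairs that differ on P - H are rejected up front."""
    if any(y[i] != y_alt[i] for i in C | SACRIFICED) or f(y) != f(y_alt):
        return False
    real = real_view_distribution(y)
    sim = simulator_distribution({i: y[i] for i in C | SACRIFICED}, f(y))
    return real == real_view_distribution(y_alt) == sim
```

The distributions are computed with exact rationals over the full coin space (3^9 honest coin vectors on the real side, 3^5 on the simulator side), so the equality is a proof for this toy instance rather than a statistical estimate. The negative case, two vectors that differ in P0's own input, shows the simulator genuinely needs y_{P−H}: the adversary's received shares and the partial t_0 pin down y0, so the supports differ.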



² We give an example of a typical case that arises in our analysis and that more clearly justifies the choice of definition in our work. If an honest party is connected via tamperable-but-private channels to several (> [f + lj) other parties, then the messages communicated on these channels can be corrupted, and in fact the input commitment phase for this party can fail completely. In this case the default value "d" is committed on behalf of this party, and this value is known to all other parties. Depending on the choices made by the adversary this may not always happen, and the honest party may sometimes be able to commit to its initial input value without this value being divulged to the adversary. Thus, whether the privacy of this otherwise honest party is compromised or not depends on the dynamic choices made by the adversary. But if the privacy property for a party is ensured sometimes and not ensured at other times, then it is "sacrificed", i.e., "not guaranteed". Such cases occur in our analysis in this work and justify why the simulator is always given the input values of these "sacrificed" honest parties; hence this definition